How to Create a Self-Signed Certificate in Windows with PowerShell? | Windows OS Hub

The majority of Windows administrators, who are conversant with PKI, know about the MakeCert.exe tool, which allows to create a self-signed security. This joyride is function of the Microsoft .NET Framework SDK and Microsoft Windows SDK. On modern Windows versions ( Windows 10/8.1 and Windows Server 2019/2016/2012R2 ) you can create a self-signed certificate using built-in PowerShell cmdlet New-SelfSignedCertificate without using extra tools .

Using the New-SelfSignedCertificate PowerShell Cmdlet to Create a Self-Signed Certificate

To create a self-signed certificate with PowerShell, you can use the New-SelfSignedCertificate cmdlet, which is a part of PoSh PKI ( Public Key Infrastructure ) module :
To list all available cmdlets in the PKI module, run the command .
Get-Command -Module PKI
powershell pki module - manage certificates on windows
It is recommended to use self-signed certificates for testing purposes or to provide certificates for home Intranet services ( IIS, Exchange, Web Application Proxy, LDAPS, ADRMS, DirectAccess, etc. ) if you can not deploy PKI/CA infrastructure or buy a believe certificate from an external provider .
Tip. Don’t forget that you can easily get a free SSL certificate from Let’s Encrypt. Here’s an example of how to issue the Let’s Encrypt SSL certificate and . Don ’ t forget that you can easily get a rid SSL security from Let ’ s Encrypt. here ’ s an example of how to issue the Let ’ s Encrypt SSL certificate and bind it to the IIS locate on Windows Server To create a security, you have to specify the values of –DnsName ( name of a waiter, the diagnose may be arbitrary and different from localhost name ) and -CertStoreLocation ( a local anesthetic certificate store in which the generated security will be placed ). You can use the cmdlet to create a self-signed certificate on Windows 10 ( in this exercise ), Windows 8.1 and Windows Server 2019/2016/ 2012 R2 /2012 .
To create a new SSL certificate ( of the default SSLServerAuthentication type ) for the DNS name ( use a FQDN name ) and identify it to the list of personal certificates on a computer, run the follow command :
New-SelfSignedCertificate -DnsName -CertStoreLocation cert:\LocalMachine\My
powershell: New-SelfSignedCertificate cmdlet on windows 10, windows server 2016

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint                               Subject
----------                               -------
New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Access denied. 0x80090010 (-2146893808 NTE_PERM)

If you run this command in non-elevated PowerShell session ( without local anesthetic admin permissions ), an error appears : If you have specified non-standard cryptanalytic provider ( CSP ), for example, using the -KeyAlgorithm "ECDSA_secP256r1" -Provider "Microsoft Smart Card Key Storage Provider" parameters, make sure it is installed on your computer ( the default is Microsoft Enhanced Cryptographic Provider CSP ). Otherwise, an erroneousness will appear :

New-SelfSignedCertificate: CertEnroll::CX509Enrollment::_CreateRequest: Provider type not defined. 0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF).

This command creates a raw certificate and imports it in the calculator ’ randomness personal certificate storehouse. Open the certlm.msc MMC snap-in, make certain that a fresh security appears in the Personal segment of the security storehouse .
By default option, a self-signed certificate is generated with the be settings :

  • Cryptographic algorithm: RSA;
  • Key length: 2048 bit;
  • Acceptable key usage: Client Authentication and Server Authentication;
  • The certificate can be used for: Digital Signature, Key Encipherment;
  • Certificate validity period: 1 year.

As you can see, the security properties indicate that this security can be used for Client Authentication, but it is besides valid for Server Authentication .
certlm.msc personal certificate storage
Using the Get-ChildItem cmdlet, you can display all the parameters of the created certificate by its thumbprint :
Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object Thumbprint -eq 2175A76B10F843676951965F52A718F635FFA043 | Select-Object *
list self-signed certificate properties with powershell

PSPath                   : Microsoft.PowerShell.Security\Certificate::LocalMachine\My\2175A76B10F843676951965F52A718F635FFA043
PSParentPath             : Microsoft.PowerShell.Security\Certificate::LocalMachine\My
PSChildName              : 2175A76B10F843676951965F52A718F635FFA043
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {Client Authentication (, Server Authentication (}
DnsNameList              : {}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName             :
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 05/11/2021 06:19:42
NotBefore                : 05/11/2020 05:59:42
HasPrivateKey            : True
PrivateKey               :
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 3, 45...}
SerialNumber             : 6797F5E3F870478D4D3798BEB291DBF3
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : 2175A76B10F843676951965F52A718F635FFA043
Version                  : 3
Handle                   : 2834444631568
Issuer                   :
Subject                  :

Note. Such a self-signed certificate will expire in 1 year from the date of its creation. You can set a different certificate validity period using the –NotAfter option. For example, you can issue an SSL/TLS certificate with a three-year validity period with the following commands:
. Such a self-signed certificate will expire in 1 year from the date of its creation. You can set a different certificate cogency period using theoption. For case, you can issue an SSL/TLS security with a three-year validity period with the surveil commands : $todaydt = Get-Date
$3years = $todaydt.AddYears(3)
New-SelfSignedCertificate -dnsname -notafter $3years -CertStoreLocation cert:\LocalMachine\My

You can create a certificate chain. First, a ancestor security ( CA ) is created, and based on it, an SSL server certificate is generated :
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA,OU=TestRootCA' -KeyExportPolicy Exportable  -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA'  -HashAlgorithm 'SHA256'  -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName "" -Signer $rootCert -KeyUsage KeyEncipherment,DigitalSignature

In order to export the generate certificate with a private key to a password-protected PFX file, you need to specify its Thumbprint. It can be copied from the results of New-SelfSignedCertificate command. You besides need to specify the certificate security password and convert it to SecureString format :
$CertPassword = ConvertTo-SecureString -String “YourPassword” -Force –AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\test.pfx -Password $CertPassword

The certificate populace key can be exported as follows :

Export-Certificate -Cert Cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\tstcert.cer
Make sure the *.cer ( PFX ) certificate file appears in the intend directory. If you right-click it and select the “ Install Certificate ” menu detail, you can use the Certificate Import Wizard to add the certificate to the believe solution certificates on your calculator .
install certificate with file explorer on windows 10
blue-ribbon Cert Store placement – > Local Machine, Place all certificates in the follow store – > Trusted Root Certification Authorities .
install certificate to trusted root certification authorities
You can create a security and immediately import it into the Trusted Root Certificate store of the computer using the commands :
$SelfSignCert=New-SelfSignedCertificate …..
$certFile = Export-Certificate -Cert $SelfSignCert -FilePath C:\ps\export-certname.cer
Import-Certificate -CertStoreLocation Cert:\LocalMachine\AuthRoot -FilePath $certFile.FullName

This public key or the certificate file itself can be deployed to all computers and servers in the Active Directory sphere using GPO ( How to deploy certificates on domain computers using GPO ? ) .

Create a Self-Signed Certificate with Subject Alternative Names

One of the useful features of New-SelfSignedCertificate cmdlet is the ability to create a security with respective different names, Subject Alternative Names (SAN) .
Note. The Makecert.exe tool, unlike the New-SelfSignedCertificate cmdlet, can not generate SAN and Wildcard certificates .
If you want to create a certificate with multiple names, the first mention of the DnsName parameter will be used as the CN ( Common Name ) of the security. For example, let ’ s create a self-signed SAN certificate with the surveil names :

  • Subject Name (CN):
  • Subject Alternative Name (DNS):
  • Subject Alternative Name (DNS):

The command for creating a certificate will look like this :
New-SelfSignedCertificate -DnsName,, -CertStoreLocation cert:\LocalMachine\My
certificate with several Subject Alternative Name
besides, you can besides generate a wildcard certificate for the integral domain namespace. To do it, specify * as a server name .
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname *

Generate a Self-Signed Certificate for Code Signing on Windows

In PoweShell 3.0, the New-SelfSifgnedCertificate cmdlet merely generates SSL certificates that can not be used to sign the driver, application or script code ( unlike certificates generated by the MakeCert utility ) .
In PowerShell translation 5.0 and former, a newfangled version of the New-SelfSifgnedCertificate cmdlet can now be used to issue Code Signing certificates .
To create a self-signed application code signing certificate, run the command :
$cert = New-SelfSignedCertificate -Subject "My Code Signing Certificate” -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My
now you can sign your PowerShell Script with a self-signed certificate :
Set-AuthenticodeSignature -FilePath C:\PS\my_posh_script.ps1 -Certificate $cert
If you are receiving an UnknownError warn when executing the command, this means that the security is not trusted, because it is located in the drug user ’ s personal certificates store .
signing powershell script using self-signed cert - unknown error
You need to move it to the Trusted Root Certificate store ( preceptor ’ triiodothyronine forget to sporadically scan the Windows security settle store for untrusted and leery certificates and update the lists of hope root certificates ) .
Move-Item -Path $cert.PSPath -Destination "Cert:\CurrentUser\Root"
After that, you can sign your PowerShell script with this self-signed certificate .

Using SHA-256 Self-Signed SSL Certificate in IIS on Windows Server IIS

Please note that when creating a self-signed certificate for IIS through the Internet Information Manager cabinet ( Create Self-Signed Certificate action menu detail ), an SSL security is created using the SHA-1 encoding algorithm. such certificates are considered untrusted by many browsers and can not be used to establish a dependable joining ( or you may see early SSL errors ). The New-SelfSignedCertificate cmdlet allows you to create a more democratic type of security using the SHA-256 encoding algorithm .
iis create self signed ssl certificate on windows server
You can bind a self-signed SHA-256 certificate generated with PowerShell to an IIS web site on Windows Server. If you create an SSL security using PowerShell and put it in the computer ’ sulfur certificate store, it will mechanically be available to IIS sites .
binding self signed sha256 certificate to iis site on windows server

Start the IIS Manager comfort, select your web site, and then in the Site Binding options, select the certificate you created and save your changes .

source :
Category : Tech

About admin

I am the owner of the website, my purpose is to bring all the most useful information to users.

Check Also


How to Show Profile Picture Instead of Video in Zoom Meeting

Zoom is a democratic and utilitarian outside meet and television conferencing tool. however, not everyone …

Leave a Reply

Your email address will not be published. Required fields are marked *